John Siu Blog

Kubernetes RBAC

Kubernetes user setup (certificate-based authentication) and RBAC setup for the same user.


Reference


  • kubectl is a client. It needs connection information to communicate with a Kubernetes cluster.
  • <USER> and <GROUP> in this document are NOT OS-level (Linux/Windows) users or groups.

Authentication - User Management

  • Kubernetes provides no API object for users; users are authenticated by one of:
    • Certificate-based authentication
    • Token-based authentication
    • Basic authentication
    • OAuth2

We will focus on Certificate-based authentication.


Certificate-Based Authentication

Cluster CA

  • Public certificate location:

    /etc/kubernetes/pki/ca.crt

  • Private key location:

    /etc/kubernetes/pki/ca.key


Certificates signed by this CA are accepted by the Kubernetes API server.


Create User (Certificate with OpenSSL)

  • Certificate Common Name (CN): Kubernetes uses this as <USER>.
  • Certificate Organization (O): Kubernetes uses this as <GROUP>.

User & Admin Steps:

  1. User: Create a private key.

    openssl genrsa -out <USER>.key 2048

  2. User: Create a certificate signing request (CSR).

    openssl req -new -key <USER>.key -out <USER>.csr -subj "/CN=<USER>/O=<GROUP>"

    A <USER> can belong to multiple groups (one O entry per group):

    openssl req -new -key <USER>.key -out <USER>.csr -subj "/CN=<USER>/O=<GROUP>/O=<GROUP>/O=<GROUP>"

  3. User: Send <USER>.csr to the Kubernetes administrator. The private key <USER>.key stays with the user.

  4. Admin: Create the certificate from the CSR, signing it with the cluster CA key.

    openssl x509 -req -in <USER>.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out <USER>.crt -days 3650

  5. Admin: Send <USER>.crt to the user.

  6. User: Create the kubectl config.

    Add the cluster to the kubectl config. (Associate a cluster name with the cluster CA and server information.)

    kubectl config \
     set-cluster <CLUSTER-NAME> \
     --certificate-authority=/etc/kubernetes/pki/ca.crt \
     --embed-certs=true \
     --server=https://<CLUSTER-IP>:6443


    Add the credential to the kubectl config. (Associate a certificate with a user name.)

    kubectl config \
     set-credentials <USER> \
     --client-certificate=<USER>.crt \
     --client-key=<USER>.key \
     --embed-certs=true


    Add a context to the kubectl config. (Associate a context name with a user/cluster pair.)

    kubectl config \
     set-context <CONTEXT-NAME> \
     --cluster=<CLUSTER-NAME> \
     --user=<USER>


    Make the context current (active). (A context is not made current when it is created.)

    kubectl config \
     use-context <CONTEXT-NAME>


PS: At this point kubectl can communicate with the cluster (authenticated), but is forbidden to perform any action (not authorized).


Authorization - Role-Based Access Control (RBAC)

Kubernetes RBAC has Role (namespaced) and ClusterRole (cluster-wide). A simple Role example is shown below.

Ref: Kubernetes Using RBAC

For Helm RBAC: Helm RBAC

RBAC Terms

  • Subject: users, OS processes, processes in pods, etc.
  • API resources: nodes, pods, services, etc.
  • Operations (verbs): get, list, create, etc.

Create Namespace

Create the namespace “test”:

kubectl create ns test

Create Role

Create a role with full access within the “test” namespace.

test-admin-role.yml

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test:admin
  namespace: test
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

Deploy:

kubectl create -f test-admin-role.yml

Create RoleBinding

Create a role binding in the “test” namespace that grants the role to the “test” group.

test-admin-bind.yml

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test:admin
  namespace: test
subjects:
- kind: Group
  name: test
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: test:admin
  apiGroup: rbac.authorization.k8s.io

Deploy:

kubectl create -f test-admin-bind.yml
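The two halves of this post meet inside the API server: the certificate subject becomes the caller's identity (CN as user, each O as a group), and the RoleBinding decides what that identity may do, only inside its own namespace. The following Python script, added here and not part of the original post or of Kubernetes, models that evaluation offline for the Role and RoleBinding above, with the two manifests embedded as dicts; identity_from_subject and is_allowed are names chosen for this example, and ClusterRole references and resourceNames are not modelled.

```python
# Role and RoleBinding from this page, as Python dicts (no YAML dependency).
TEST_ADMIN_ROLE = {
    "kind": "Role", "metadata": {"name": "test:admin", "namespace": "test"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
TEST_ADMIN_BINDING = {
    "kind": "RoleBinding", "metadata": {"name": "test:admin", "namespace": "test"},
    "subjects": [{"kind": "Group", "name": "test", "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "Role", "name": "test:admin", "apiGroup": "rbac.authorization.k8s.io"},
}

def identity_from_subject(subj):
    """Return (user, groups) as Kubernetes derives them from an OpenSSL -subj
    string such as /CN=alice/O=test/O=dev: CN is the user, every O is a group."""
    user, groups = None, []
    for rdn in subj.strip("/").split("/"):
        key, _, value = rdn.partition("=")
        if key == "CN":
            user = value
        elif key == "O":
            groups.append(value)
    if user is None:
        raise ValueError("subject has no CN; Kubernetes cannot derive a user name")
    return user, groups

def _match(allowed, value):
    return "*" in allowed or value in allowed   # "*" is the RBAC wildcard

def rule_allows(rule, api_group, resource, verb):
    return all(_match(rule[k], v) for k, v in
               (("apiGroups", api_group), ("resources", resource), ("verbs", verb)))

def binding_covers(binding, user, groups):
    return any((s["kind"] == "User" and s["name"] == user) or
               (s["kind"] == "Group" and s["name"] in groups) for s in binding["subjects"])

def is_allowed(user, groups, namespace, api_group, resource, verb,
               roles=(TEST_ADMIN_ROLE,), bindings=(TEST_ADMIN_BINDING,)):
    """Namespaced RBAC: a RoleBinding grants its Role only inside its own namespace."""
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for b in bindings:
        ns = b["metadata"]["namespace"]
        # ClusterRole references and resourceNames are not modelled in this example.
        if ns != namespace or b["roleRef"]["kind"] != "Role" or not binding_covers(b, user, groups):
            continue
        role = roles_by_key.get((ns, b["roleRef"]["name"]))
        if role and any(rule_allows(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False  # default deny: nothing matched, the request is forbidden
```

A certificate issued with "/CN=alice/O=test" is therefore allowed everything in namespace "test" and nothing in "default", which is what `kubectl auth can-i` would report against the real cluster.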

John Siu

Update: 2020-09-01